You're right about checking files uploaded from the wild, but the checking now is done to ensure that it is a valid jpeg file (header check) and then, to be sure, there is some re-sizing done, so if it is not a jpeg, then, well, the code returns a fail on the upload and it is never posted as a graphic.
In this new vulnerability, it is my impression that this virus is part of a valid jpeg, which is where my original query about the pattern matching comes in (which is what virus software does anyway, right?). Just in this case, there is no AV software running on the web server, just the upload manager that ensures the files are valid jpegs.
Also, anyone know of a code chunk that can be scanned for to see if a jpeg contains this virus?
Thanks again for comments,
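
Added example, not part of the original post and not the poster's upload code: a header check only looks at the first bytes, so this sketch walks every JPEG marker segment and rejects files whose declared segment lengths are inconsistent. It is not a signature for the vulnerability discussed, which the post does not identify; the function name and the sample byte strings are constructed for illustration.

```python
import struct

# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

def check_jpeg_structure(data: bytes) -> list:
    """Walk the marker segments; return a list of problems (empty = consistent)."""
    if data[:2] != b"\xff\xd8":
        return ["missing SOI marker"]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return [f"offset {pos}: expected a marker"]
        while pos < len(data) and data[pos] == 0xFF:   # skip fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker, pos = data[pos], pos + 1
        if marker == 0xD9:                              # EOI: clean end
            return []
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return [f"offset {pos}: truncated length field"]
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        # The length counts its own two bytes, so anything below 2 is invalid.
        if length < 2:
            return [f"offset {pos}: marker 0xFF{marker:02X} declares length {length}"]
        if pos + length > len(data):
            return [f"offset {pos}: marker 0xFF{marker:02X} runs past end of file"]
        pos += length
        if marker == 0xDA:                              # SOS: skip entropy-coded data
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00
                and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
            if pos + 1 >= len(data):
                break
    return ["no EOI marker"]

# Constructed samples (not real images): SOI, APP0/JFIF, COM, SOS, scan bytes, EOI.
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
TAIL = b"\xff\xda\x00\x08" + bytes(6) + b"\x12\xff\x00\x34\xff\xd9"
GOOD = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x04hi" + TAIL
BAD_LENGTH = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x01" + TAIL   # passes a header check
OVERRUN = b"\xff\xd8" + APP0 + b"\xff\xfe\x01\x00hi"
```

All three samples start with the same valid SOI and JFIF header, so a header-only check accepts them; only the segment walk tells them apart.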